FIG. 1 is a schematic representation of a known postage meter 1. Postage meter 1 includes a vault 3 in the form of a smart card chip, a microprocessor 5, and a printhead module 7. Postage meter 1 is designed to dispense postage in the form of a postage indicium applied to a mailpiece and to securely account for the dispensed postage in vault 3.
Vault 3 includes a central processing unit (CPU) 9, Read-Only Memory (ROM) 11, Random Access Memory (RAM) 13, Non-Volatile Memory (NVM) 15, and an Electrically Erasable Programmable Read-Only Memory (EEPROM) 16. CPU 9 controls the operation of vault 3 by executing code stored in ROM 11. RAM 13 serves as a volatile working memory during operation of vault 3 while NVM 15 includes conventional accounting registers that are updated to securely account for the postage dispensed by postage meter 1. EEPROM 16 is used to store personalized data for vault 3.
Printhead module 7 includes a smart card chip 17 containing a CPU 19, a ROM 21, a RAM 23, NVM 25, and EEPROM 27. The smart card chip 17 components are each used to permit the printing function of postage meter 1 to be accomplished in a known manner. Further, printhead module 7 includes an application specific integrated circuit 29, a flash memory 31, and a printhead 33, which cooperate with smart card chip 17 to effectuate the printing of the postage indicium, as is more fully described in U.S. Pat. No. 5,651,103, which is hereby incorporated by reference.
Postage meter 1 responds to a request to dispense postage which is entered via a keyboard (not shown). In response to the postage request, and prior to the printing of an indicium, vault 3 and printhead module 7 are designed to perform a mutual authentication procedure, as is more fully described in U.S. Pat. No. 5,923,762, which is hereby incorporated by reference. During the mutual authentication process, both printhead module 7 and vault 3 generate a common session key using a set of authentication keys (AKs) that are stored in both ROM 11 and ROM 21. Since the generation of the session key is fundamental to the mutual authentication process, the security of the authentication keys is of critical importance. Accordingly, strong measures must be taken to prevent the compromise of the set of AKs.
In postage meter 1, the conventional physical and logical security features of smart card chips 3 and 17 are relied upon to prevent access to the AKs, which are stored in the clear in ROMs 11 and 21. However, the process by which the AKs are put into the mask for smart card chip 17 can be improved upon from a security viewpoint. That is, the postage meter vendor typically receives smart card chip 17 from a third party vendor with the AKs already contained in it. The third party vendor obtains the AKs from the meter manufacturer, for example on a floppy disc, and then masks smart card chip 17 with them. Providing the third party vendor with the AKs in the clear introduces an extra, undesirable link in the chain of custody of the AKs.
In addition to the above, a distinct set of AKs is generated for each domain. A domain can be a specific country or a particular region of the world. The bottom line is that a separate mask for smart card chip 17 is typically created for each set of domain authentication keys, increasing the cost of creating the various domain chip masks. Moreover, a plurality of domain-specific smart card chips 17 must be produced and procured in bulk for each domain, which leads to increased inventory control procedures to accommodate the storage and distribution of the various smart card chips 17. Additionally, if the meter manufacturer begins selling or leasing postage meters in one domain and subsequently ceases doing business there, any surplus smart card chips 17 in inventory for that domain become scrap, since they cannot be used for other domains.
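The following Python is an added illustration, not the patent's own protocol (the actual procedure is in U.S. Pat. No. 5,923,762 and is not reproduced here). It sketches the two points made above: a vault and a printhead that hold the same authentication key run a challenge-response handshake and independently derive a common session key, and a chip masked with another domain's AK set fails the handshake. The HMAC-SHA256 construction, the nonce exchange, the role labels and the per-domain key table are all assumptions of this example; the key values are constructed for demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample key table, one AK per domain (names and values are made up
# for this example; real AKs are secret and, as the text says, domain-specific).
DOMAIN_AK = {
    "domain-A": hashlib.sha256(b"constructed AK for domain A").digest()[:16],
    "domain-B": hashlib.sha256(b"constructed AK for domain B").digest()[:16],
}


def _mac(ak: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a role label and the nonces (assumed construction)."""
    return hmac.new(ak, label + b"".join(parts), hashlib.sha256).digest()


def derive_session_key(ak: bytes, nonce_vault: bytes, nonce_printhead: bytes) -> bytes:
    """Both sides compute this independently.  Binding the key to both nonces
    means neither side alone chooses it and each run yields a fresh key."""
    return _mac(ak, b"session", nonce_vault, nonce_printhead)


def mutual_authenticate(vault_ak: bytes, printhead_ak: bytes, rng=secrets.token_bytes):
    """Challenge-response handshake between a vault holding vault_ak and a
    printhead holding printhead_ak.  Returns (ok, vault_session_key,
    printhead_session_key); the two keys agree only when the AKs match."""
    # 1. vault -> printhead: challenge nonce
    n_v = rng(16)
    # 2. printhead -> vault: its own nonce plus a MAC proving knowledge of AK
    n_p = rng(16)
    mac_p = _mac(printhead_ak, b"printhead", n_v, n_p)
    # 3. vault checks the printhead's MAC against its own copy of AK
    if not hmac.compare_digest(mac_p, _mac(vault_ak, b"printhead", n_v, n_p)):
        return False, None, None
    # 4. vault -> printhead: MAC under a different label so it cannot be reflected
    mac_v = _mac(vault_ak, b"vault", n_p, n_v)
    if not hmac.compare_digest(mac_v, _mac(printhead_ak, b"vault", n_p, n_v)):
        return False, None, None
    # 5. each side derives the common session key from AK and both nonces
    return (
        True,
        derive_session_key(vault_ak, n_v, n_p),
        derive_session_key(printhead_ak, n_v, n_p),
    )


if __name__ == "__main__":
    ok, k_v, k_p = mutual_authenticate(DOMAIN_AK["domain-A"], DOMAIN_AK["domain-A"])
    print("same domain: authenticated =", ok, "| session keys agree =", k_v == k_p)
    ok, _, _ = mutual_authenticate(DOMAIN_AK["domain-A"], DOMAIN_AK["domain-B"])
    print("chip masked for another domain: authenticated =", ok)
```

Because every step depends on the shared AK, anyone holding a copy of the AK set can complete the handshake as either party, which is why the text treats the extra custody link at the third party vendor as a problem in its own right, independent of the chip's tamper resistance.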